This can occur if an Open Directory server has been down for an extended period of time, or if a replica is created when there are more than 11000 objects in the LDAP datastore. 11000 is the default maximum number of objects that can be returned by a single search, so the replicator cannot retrieve the full datastore.

Allow the _ldap_replicator user to override the search limit. This is done by changing the LDAP server configuration on every Open Directory server. It involves authenticating as the directory administrator and running some LDAP modification commands in Terminal. The search base (also known as the naming context) of the LDAP server also needs to be known.

The following steps can be used to accomplish this.

First, find the search base for the LDAP server

Find the search base for the LDAP server. This is usually the fully qualified domain name of the server with dc= prepended to each label and the periods changed to commas.

For example, a server with hostname server.example.com would have a default search base of "dc=server,dc=example,dc=com". The search base can be verified by querying the LDAP server itself with the following Terminal command (note the straight double quotes; curly quotes will not work in the shell):

ldapsearch -x -LLL -b "" -s base namingContexts

Look for the line containing namingContexts; the search base is the value after the colon, as in the example output below.

dn:
namingContexts: dc=server,dc=example,dc=com
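The following is an added example, not part of the original article, showing the check above as a small shell script: it derives the expected default search base from a hostname, parses a namingContexts line of the form ldapsearch prints, and reports whether the two agree. The function names and the embedded sample output are assumptions constructed for illustration; in practice the sample would be replaced by the live output of the ldapsearch command.

```bash
#!/bin/sh
# Added example (not from the original article): derive the expected default
# search base from a hostname and compare it with what the LDAP server reports.

# Convert an FQDN such as server.example.com into dc=server,dc=example,dc=com:
# prepend dc= to the first label and replace every period with ",dc=".
fqdn_to_search_base() {
    printf '%s' "$1" | sed -e 's/\./,dc=/g' -e 's/^/dc=/'
}

# Extract the naming context from ldapsearch output: the text after the colon
# on the first namingContexts: line, with leading whitespace removed.
naming_context_from_output() {
    printf '%s\n' "$1" | sed -n 's/^namingContexts:[[:space:]]*//p' | head -n 1
}

# Compare the derived base with the reported one. Returns 0 only on a match,
# so the result can drive a script that refuses to proceed otherwise.
check_search_base() {
    expected=$(fqdn_to_search_base "$1")
    actual=$(naming_context_from_output "$2")
    if [ "$expected" = "$actual" ]; then
        echo "OK: search base is $actual"
        return 0
    fi
    echo "MISMATCH: expected $expected, server reports '$actual'"
    return 1
}

# Constructed sample output in the shape the article shows; replace with the
# live result of:  ldapsearch -x -LLL -b "" -s base namingContexts
SAMPLE_OUTPUT='dn:
namingContexts: dc=server,dc=example,dc=com'

check_search_base server.example.com "$SAMPLE_OUTPUT"
```

A mismatch is not necessarily an error: the search base may have been chosen differently when the Open Directory master was created, in which case the value the server reports is the one to use in the later steps.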

Second, obtain the Kerberos credentials for the directory administrator

The default name for this user is diradmin, but the name could have been changed when the Open Directory master was created. Credentials are obtained using the kinit command in Terminal. Run the following command, substituting the correct name for the directory administrator in place of diradmin if necessary, and enter the password when prompted. On success there is no output.

kinit diradmin

Next, use ldapmodify in interactive mode in Terminal to make the changes. Execute the following in Terminal:

ldapmodify

Note: Because no -x option is given, ldapmodify binds with SASL (GSSAPI) using the Kerberos ticket obtained in the previous step. It will output a few SASL messages and then wait for input. On success, the SASL output should look something like this:

Modify the configuration

Lastly, make the modifications to the configuration. This requires that all of the text below be entered in the Terminal window as input to the ldapmodify command. Substitute the search base found in the first step for [search base] below, removing the brackets as well.